
Embed v4 address in v6 as alternative to proxy_protocol

Open: candlerb opened this issue 4 years ago, 1 comment

This is a feature suggestion:

  • Configure an IPv6 /96 pool in sniproxy.conf, e.g. fd46:1::/96
  • If the inbound connection is v4 and the outbound is v6, then sniproxy can bind the source address of the outbound connection to one of the pool addresses, embedding the source v4 address of the inbound connection in the lower 32 bits
    • This can be done via AnyIP and IP_FREEBIND or sysctl net.ipv6.ip_nonlocal_bind
    • The upstream router also needs to static-route the block to the proxy host, of course

This would give a transparent way to keep the v4 source address visible in logs, without having to deal with proxy_protocol - so local connections and remote connections can be treated identically.

Demonstration proof-of-concept:

# Source machine (XXXX::11)
root@nuc1:~# ip -6 route add local fd46:1::/96 dev lo
root@nuc1:~# sysctl net.ipv6.ip_nonlocal_bind=1
net.ipv6.ip_nonlocal_bind = 1
root@nuc1:~# nc -s fd46:1::1.2.3.4 XXXX::36 80
GET / HTTP/1.0
....

# Target machine (XXXX::36)
root@netbox:~# ip -6 route add fd46:1::/96 via XXXX::11
root@netbox:~# tail -1 /var/log/apache2/other_vhosts_access.log
netbox.example.net:80 fd46:1::102:304 - - [04/Mar/2021:13:52:00 +0000] "GET / HTTP/1.0\n" 400 0 "-" "-"
                      ^^^^^^^^^^^^^^^

candlerb, Mar 04 '21 14:03
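The address arithmetic behind the proposal, and the matching log-side decode a defender would need, as an added example that is not part of the issue or of sniproxy itself. It uses the fd46:1::/96 pool and the Apache other_vhosts_access.log line from the demonstration; the second log line (a native IPv6 client) is constructed.

```python
import ipaddress

# Constructed sample value: the /96 pool suggested in the issue.
POOL = ipaddress.IPv6Network("fd46:1::/96")


def embed_v4_in_v6(pool, v4):
    """Map an IPv4 client into the pool: fd46:1::/96 + 1.2.3.4 -> fd46:1::102:304.

    Upper 96 bits come from the pool prefix, lower 32 bits are the IPv4 address,
    which is exactly what `nc -s fd46:1::1.2.3.4` binds to in the demonstration.
    """
    if pool.prefixlen != 96:
        raise ValueError("pool must be a /96 so exactly 32 bits remain for the IPv4 address")
    return ipaddress.IPv6Address(int(pool.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_v4_from_v6(pool, v6):
    """Inverse mapping for log analysis; None when v6 is not a pool address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in pool:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def client_from_access_log(pool, line):
    """Return the real client behind one other_vhosts_access.log line.

    Field 0 is the vhost, field 1 the peer address. A pool address is decoded
    back to the embedded IPv4 client; anything else (a native IPv6 client, or
    an IPv4 peer on a dual-stack backend) is returned unchanged.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an other_vhosts_access.log line")
    peer = ipaddress.ip_address(fields[1])
    if isinstance(peer, ipaddress.IPv6Address):
        embedded = extract_v4_from_v6(pool, peer)
        if embedded is not None:
            return embedded
    return peer


if __name__ == "__main__":
    # First line is the one from the issue; the second is a constructed native-IPv6 client.
    lines = [
        'netbox.example.net:80 fd46:1::102:304 - - [04/Mar/2021:13:52:00 +0000] "GET / HTTP/1.0\\n" 400 0 "-" "-"',
        'netbox.example.net:80 2001:db8::42 - - [04/Mar/2021:13:53:00 +0000] "GET / HTTP/1.0" 200 512 "-" "-"',
    ]
    print(embed_v4_in_v6(POOL, "1.2.3.4"))  # fd46:1::102:304
    for line in lines:
        print(client_from_access_log(POOL, line))  # 1.2.3.4, then 2001:db8::42
```

The decode is only meaningful on hosts that receive the pool block via the static route described above; on any other host a fd46:1::/96 peer address is just an ordinary (unreachable) ULA.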

Nice concept. More elegant than transparent proxying too I think, if you're certain you'll be contacting IPv6 destinations.

synnack, Jan 06 '22 11:01